MS security plugs not airtight

The patching of Windows 95 and NT to shield them against Internet hacker attacks continues.

Microsoft (MSFT) is still struggling to completely patch Windows 95 and NT against Internet hacker attacks.

The company has posted a software patch that protects Windows 95 users from an attack that can crash their computers. The company issued a similar patch for Windows NT last week.

But both the Windows NT and 95 patches aren't complete prophylactics for so-called out-of-band data attacks since both platforms can still be crashed by hackers with Macintosh and Linux computers. Microsoft said today that it hopes to post new patches by tonight that remedy the vulnerability to Mac- and Linux-based attacks.

The current Windows 95 patch--without protection for Mac and Linux attacks--can be downloaded for free from Microsoft's Web site.

This year, Microsoft programmers have been forced to create a medicine chest of software remedies to fix potential security risks in everything from the Internet Explorer browser to PowerPoint to Windows itself. Some security experts believe the company is struggling with deep-rooted vulnerabilities in its OS and Internet technologies.

It's clear that the Internet has made it much easier for enterprising bug-finders to broadcast their discoveries to the press and public over email lists and Web pages. This has put intense pressure on Microsoft's engineering groups to quickly come up with patches.

Other companies, such as Sun Microsystems, have also had to release a number of patches for their technologies, but Microsoft has been especially hard-hit.

A number of security experts believe that Microsoft would have had a hard time avoiding these security problems.

"As a professional programmer, I have a real hard time saying that Microsoft should have seen this coming," said David LeBlanc, senior Windows NT security manager at Internet Security Systems, a developer of security software. "I get hit with this stuff too. With 20/20 hindsight, it's really obvious to see what we did wrong. Trying to take into account all the possibilities that can occur beforehand is not realistic."

In order to exploit the latest vulnerability, Web sites must send a special TCP/IP command known as "out of band data" to port 139 of a computer running Windows 95 or NT. Hackers could also target users' PCs by using one of several programs for Windows, Unix, and Macintosh now circulating on the Net. With one program, called WinNuke, a hacker simply types a user's Internet protocol address and then clicks the program's "nuke" button in order to crash a PC over the Net.

WinKiller is one of several malicious programs circulating on the Internet for "nuking" or crashing Windows 95 and NT computers.

The company's original patch for Windows NT prevents attacks from Unix and other Windows computers. But because of a difference in the way Mac and Linux computers handle the TCP protocol, Microsoft's patch didn't squelch attacks from those operating systems.
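As an added example (not part of the original article and not Microsoft's code), the Python below shows how a defender could flag the traffic described above in a packet capture: TCP "out of band data" travels in segments with the URG flag set, so the check looks for URG segments addressed to port 139. The sample packets, addresses and function names are constructed for illustration.

```python
import struct

NETBIOS_SESSION_PORT = 139  # port named in the article
TCP_URG = 0x20              # URG bit: marks TCP "out of band" (urgent) data

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags, urg_ptr), or None if not parseable TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None                                   # not a first-fragment TCP segment
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    urg_ptr = struct.unpack("!H", packet[ihl + 18:ihl + 20])[0]
    return src, dst, sport, dport, flags, urg_ptr

def find_oob_to_netbios(packets):
    """Return one alert string per packet carrying URG data to port 139."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue                                  # skip truncated or non-TCP input
        src, dst, sport, dport, flags, urg_ptr = parsed
        if dport == NETBIOS_SESSION_PORT and flags & TCP_URG:
            alerts.append(f"URG segment {src}:{sport} -> {dst}:{dport} urg_ptr={urg_ptr}")
    return alerts

def build_sample(dport, flags, urg_ptr=0):
    """Constructed header-only sample for the parser (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    return ip + tcp

SAMPLES = [  # constructed traffic using documentation address ranges
    build_sample(139, 0x18),             # ordinary PSH|ACK to port 139
    build_sample(139, 0x38, urg_ptr=3),  # URG|PSH|ACK to port 139
    build_sample(80, 0x38, urg_ptr=3),   # URG to a different port
    b"\x45\x00",                         # truncated capture
]

if __name__ == "__main__":
    for line in find_oob_to_netbios(SAMPLES):
        print(line)
```

An alert from this check is a prompt for review of the source address rather than proof of an attack.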

A number of users have sent email to CNET's NEWS.COM complaining that their computers were repeatedly crashed as they chatted in Internet relay chat groups. When users are nuked by a hacker, their computer screens often display an error message loosely known as the "blue screen of death."

"The worst part about it is that the delinquents playing with this toy really like to play with it and keep on doing it," said Martin A. Childs, a law student at Louisiana State University in Baton Rouge. "The first time I got hit, I logged on six times before I managed to figure out what was going on."

The original patches for Windows NT versions 4.0 and 3.51 are available on Microsoft's Web site. Last Thursday, the company also posted a collection of software patches, called service pack 3, that contains the NT out-of-band fix.

The out-of-band data attacks also affect users of Windows 3.11, but a company spokeswoman said that Microsoft will not prepare a fix for that platform unless users request one.